Other: W32/Googkle

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

The detection 'Googkle' refers to a malicious site first detected in late April 2005.
The site takes advantage of a possible spelling error a user might make when typing
the name of the popular search engine, 'Google.com'. The malicious site uses the
name 'Googkle.com'; a few related sites are also involved. Please do not visit these
sites. The appropriate authorities have been notified.

Once on the site, the user's system is subjected to drive-by downloads: silent,
unauthorized downloads of adware and malicious programs. The user is then prompted
to visit a website promoting anti-virus programs and spyware cleaners for download.
Unfortunately, the methods used for promotion are malicious.

The sites are registered by persons using Russian names. In addition, several malicious
files downloaded from these websites contain Russian text.

Drive-by Downloads

When 'googkle.com' is opened in a browser, it shows 2 popup windows that are linked
to the following websites:

www.ntsearch.com

toolbarpartner.com

The 'ntsearch.com' website downloads and runs the 'pop.chm' file; the 'toolbarpartner.com'
website downloads and runs the 'ddfs.chm' file. Both files are downloaded using exploits,
and they themselves contain exploits that run embedded executable files.

One of the webpages of the 'toolbarpartner.com' website also downloads a file named
'pic10.jpg' using an exploit.

In addition, these websites launch a stream of webpages with different exploits, which
download and run 2 files from the 'daosearch.com' website:

web.exe

classload.jar

Execution

Once downloaded onto the computer, the malicious files execute.

JAR file

The actual malware functionality is in Installer.class, which downloads a file from
the same location the JAR file itself is loaded from. First, the applet looks for the
name of the file to download in the applet parameter ModulePath (specified in the HTML
tag). If the parameter is not specified, the applet defaults to 'msxmidi.dat'. After
the file is downloaded, the applet gets the location of the Windows directory with
GetWindowsDirectory(), saves the downloaded executable there as 'web.exe' and executes it.
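The applet behaviour described above leaves a recognisable trace in the HTML that embeds it, which is useful for proxy-side or forensic review of cached pages. The following Python script is an added example and not F-Secure's code or part of the malware: it parses HTML for <applet> tags, flags any that reference 'Installer.class' or 'classload.jar' (the names given above) or that pass a 'ModulePath' parameter, and reports the module path the applet would try to download, falling back to 'msxmidi.dat' when the parameter is absent, exactly as the description states. The sample HTML inside the script (including the 'update.dat' value) is constructed for illustration.

```python
# Added example (not F-Secure's code): find <applet> tags in an HTML page that
# match the Installer.class loader described above and report which file the
# applet would try to download. The sample HTML below is constructed.
from html.parser import HTMLParser

# Names taken from the description above; the default module path applies when
# the ModulePath parameter is missing.
LOADER_CLASS = "installer.class"
LOADER_ARCHIVE = "classload.jar"
LOADER_PARAM = "modulepath"
DEFAULT_MODULE = "msxmidi.dat"

# Constructed sample: one loader applet with an explicit ModulePath, one loader
# applet relying on the default, and one unrelated applet for contrast.
SAMPLE_HTML = """
<html><body>
<applet code="Installer.class" archive="classload.jar" width="1" height="1">
  <param name="ModulePath" value="update.dat">
</applet>
<applet code="Installer.class" archive="classload.jar" width="1" height="1"></applet>
<applet code="Clock.class" archive="clock.jar" width="100" height="100">
  <param name="timezone" value="UTC">
</applet>
</body></html>
"""


class AppletCollector(HTMLParser):
    """Collect every <applet> tag with the <param> name/value pairs nested in it."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values keep their case.
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "applet":
            self._current = {"code": attrs.get("code", ""),
                             "archive": attrs.get("archive", ""),
                             "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "").lower()] = attrs.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet" and self._current is not None:
            self.applets.append(self._current)
            self._current = None


def find_loader_applets(html):
    """Return one dict per suspicious applet: its code, archive, the module path it
    would download (explicit ModulePath or the default) and why it was flagged."""
    collector = AppletCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for applet in collector.applets:
        reasons = []
        if applet["code"].lower() == LOADER_CLASS:
            reasons.append("code=" + applet["code"])
        if applet["archive"].lower() == LOADER_ARCHIVE:
            reasons.append("archive=" + applet["archive"])
        if LOADER_PARAM in applet["params"]:
            reasons.append("param=ModulePath")
        if reasons:
            hits.append({"code": applet["code"],
                         "archive": applet["archive"],
                         "module_path": applet["params"].get(LOADER_PARAM, DEFAULT_MODULE),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_loader_applets(SAMPLE_HTML):
        print(hit)
```

Run against a saved page or proxy cache entry, the script reports two applets from the sample and ignores the clock applet; the second hit shows the 'msxmidi.dat' default, which is the case a reviewer would otherwise miss because no ModulePath parameter is visible in the HTML.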

CHM files

The 'pop.chm' file drops the 'sp.exe' file (detected as 'Trojan.Win32.Spooner.f')
and runs it. The 'ddfs.chm' file drops the 'frame.exe' file (detected as 'Trojan-Downloader.Win32.Small.apf')
and runs it. The Small.apf trojan has functionality to automatically reply to the security
questions asked by Windows, to ensure that its process maintains a connection to the Internet.
This downloader downloads and runs the following files from the 'toolbarpartner.com'
website:

xz.exe - detected as Trojan-Dropper.Win32.Small.vv

ggl.exe

The 'xz.exe' file drops a DLL named 'winloadhh.dll' (detected as 'Trojan-Downloader.Win32.Small.anu')
to the root folder of the C: drive. The 'pic10.jpg' file downloaded from the 'toolbarpartner.com'
website (actually an executable that replaces the Windows Media Player application) drops
an identical component to the same location. The 'web.exe' file is identical to the
'pic10.jpg' file.

Downloads

Trojan-Downloader.Win32.Small.anu connects to 2 different websites to download malware:

From the 'sturfajtn.com' website:

next3.exe - detected as Backdoor.Win32.Zins.c

next1.exe - detected as Trojan-Spy.Win32.Banker.jk

next2.exe - detected as Trojan-Proxy.Win32.Small.bh

From the 'toolbarpartner.com' website:

svchosts.exe

winran.exe

toolbar.exe - installs an adware toolbar known as 'Perez'.

ggl.exe - detected as Trojan-Dropper.Win32.Small.vn

proxyrnd.exe - detected as Backdoor.Win32.Jeemp.c

ldr.exe - detected as Trojan-Downloader.Win32.Agent.lv

inst.exe - detected as Trojan-Dropper.Win32.Small.wp

The 'winran.exe' file is a trojan dropper that copies itself to the Windows System folder
with a random name and drops a DLL, also with a random name, into the same folder. The
DLL modifies the HOSTS file to block connections to the following websites:

downloads1.kaspersky-labs.com

downloads2.kaspersky-labs.com

downloads3.kaspersky-labs.com

downloads4.kaspersky-labs.com

download.mcafee.com

liveupdate.symantecliveupdate.com

liveupdate.symantec.com

update.symantec.com
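Because the HOSTS override is what keeps the victim from updating its security products, checking that file is a quick triage step. The following Python script is an added example and not F-Secure's code: it parses a HOSTS file, strips comments, validates each address with the standard ipaddress module, and reports any line that overrides one of the vendor update hosts listed above, together with the address it was pointed at. The HOSTS content embedded in the script is constructed for illustration.

```python
# Added example (not F-Secure's code): audit a HOSTS file for entries that
# hijack the security-vendor update hosts listed above. The HOSTS content
# below is constructed for illustration.
import ipaddress

# Update hosts the description above says the dropped DLL blocks.
WATCHED_HOSTS = frozenset({
    "downloads1.kaspersky-labs.com",
    "downloads2.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com",
    "downloads4.kaspersky-labs.com",
    "download.mcafee.com",
    "liveupdate.symantecliveupdate.com",
    "liveupdate.symantec.com",
    "update.symantec.com",
})

# Constructed sample: a normal Windows HOSTS file with three appended entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
10.0.0.5        intranet.example.test
127.0.0.1       liveupdate.symantec.com   # appended by the dropper
127.0.0.1       update.symantec.com download.mcafee.com
0.0.0.0         downloads1.kaspersky-labs.com
"""


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for every valid, non-comment HOSTS entry.
    Inline comments are stripped and hostnames are lower-cased for comparison."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a HOSTS entry; skip rather than guess
        entries.append((number, str(ip), [host.lower() for host in fields[1:]]))
    return entries


def find_hijacked_update_hosts(text, watched=WATCHED_HOSTS):
    """Return (line_number, ip, hostname) for each watched host the file overrides.
    Any override is reported, since a legitimate HOSTS file does not normally pin
    vendor update servers; the IP tells the analyst whether it is a block
    (loopback or 0.0.0.0) or a redirect to some other address."""
    hits = []
    for number, ip, hostnames in parse_hosts(text):
        for host in hostnames:
            if host in watched:
                hits.append((number, ip, host))
    return hits


if __name__ == "__main__":
    for number, ip, host in find_hijacked_update_hosts(SAMPLE_HOSTS):
        print(f"line {number}: {host} -> {ip}")
```

On a live Windows system the file to read is %SystemRoot%\System32\drivers\etc\hosts; feeding its contents to find_hijacked_update_hosts gives the same (line, address, host) triples, which can be written straight into an incident note.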

The 'svchosts.exe' file is a trojan dropper that drops a DLL named 'svchosts.dll'
into the Windows System folder. This DLL places a fake virus alert on the desktop. The
alert looks like this (original spelling preserved):

VIRUS ALERT! YOUR PC IS INFECTED! IT HAS BEEN DETECTED THAT YOUR PC HAS AT LEAST 3 DANGEROUS VIRUSES! TO KNOW FOR SURE YOU URGENTLY NEED TO RUN AN ANTIVIRUS TEST ON YOUR PC! The consequences of spyware and virus presence on your pc might belike: loosing all the data, data might be stolen, your secrets might beexposed. PROTECT YOUR PC! REMOVE ALL VIRUSES NOW!

This fake alert is created by placing an HTML file on the desktop, so that a user can
click on the alert and go to a pre-defined website. The link from this fake alert
points to the following website:

topantivirus.biz

This website offers links to different websites that offer anti-virus and spyware
cleaners for download. The motto of this site is 'Top Antivirus - We help people'.
Unfortunately, the way people are directed to that website is somewhat deceptive.
